Merge branch 'master' into new-eventstore

# Conflicts:
#	go.sum

pkg/grpc/admin/proto/admin.proto

@@ -853,7 +853,8 @@ message View {
     string database = 1;
     string view_name = 2;
     uint64 processed_sequence = 3;
-    google.protobuf.Timestamp view_timestamp = 4;
+    google.protobuf.Timestamp event_timestamp = 4;
+    google.protobuf.Timestamp last_successful_spooler_run = 5;
 }
 
 message IdpID {
@@ -998,6 +999,7 @@ message DefaultLoginPolicy {
     google.protobuf.Timestamp creation_date = 4;
     google.protobuf.Timestamp change_date = 5;
     bool force_mfa = 6;
+    PasswordlessType passwordless_type = 7;
 }
 
 message DefaultLoginPolicyRequest {
@@ -1005,6 +1007,12 @@ message DefaultLoginPolicyRequest {
     bool allow_register = 2;
     bool allow_external_idp = 3;
     bool force_mfa = 4;
+    PasswordlessType passwordless_type = 5;
+}
+
+enum PasswordlessType {
+    PASSWORDLESSTYPE_NOT_ALLOWED = 0;
+    PASSWORDLESSTYPE_ALLOWED = 1;
 }
 
 message IdpProviderID {
@@ -1018,6 +1026,7 @@ message DefaultLoginPolicyView {
     google.protobuf.Timestamp creation_date = 4;
     google.protobuf.Timestamp change_date = 5;
     bool force_mfa = 6;
+    PasswordlessType passwordless_type = 7;
 }
 
 message IdpProviderView {

pkg/grpc/auth/mock/auth.proto.mock.go

@@ -56,6 +56,46 @@ func (mr *MockAuthServiceClientMockRecorder) AddMfaOTP(arg0, arg1 interface{}, a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMfaOTP), varargs...)
 }
 
+// AddMyMfaU2F mocks base method
+func (m *MockAuthServiceClient) AddMyMfaU2F(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*auth.WebAuthNResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "AddMyMfaU2F", varargs...)
+	ret0, _ := ret[0].(*auth.WebAuthNResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AddMyMfaU2F indicates an expected call of AddMyMfaU2F
+func (mr *MockAuthServiceClientMockRecorder) AddMyMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMyMfaU2F", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMyMfaU2F), varargs...)
+}
+
+// AddMyPasswordless mocks base method
+func (m *MockAuthServiceClient) AddMyPasswordless(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*auth.WebAuthNResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "AddMyPasswordless", varargs...)
+	ret0, _ := ret[0].(*auth.WebAuthNResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AddMyPasswordless indicates an expected call of AddMyPasswordless
+func (mr *MockAuthServiceClientMockRecorder) AddMyPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMyPasswordless", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMyPasswordless), varargs...)
+}
+
 // ChangeMyPassword mocks base method
 func (m *MockAuthServiceClient) ChangeMyPassword(arg0 context.Context, arg1 *auth.PasswordChange, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()
@@ -416,6 +456,46 @@ func (mr *MockAuthServiceClientMockRecorder) RemoveMyExternalIDP(arg0, arg1 inte
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyExternalIDP", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMyExternalIDP), varargs...)
 }
 
+// RemoveMyMfaU2F mocks base method
+func (m *MockAuthServiceClient) RemoveMyMfaU2F(arg0 context.Context, arg1 *auth.WebAuthNTokenID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "RemoveMyMfaU2F", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// RemoveMyMfaU2F indicates an expected call of RemoveMyMfaU2F
+func (mr *MockAuthServiceClientMockRecorder) RemoveMyMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyMfaU2F", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMyMfaU2F), varargs...)
+}
+
+// RemoveMyPasswordless mocks base method
+func (m *MockAuthServiceClient) RemoveMyPasswordless(arg0 context.Context, arg1 *auth.WebAuthNTokenID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "RemoveMyPasswordless", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// RemoveMyPasswordless indicates an expected call of RemoveMyPasswordless
+func (mr *MockAuthServiceClientMockRecorder) RemoveMyPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyPasswordless", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMyPasswordless), varargs...)
+}
+
 // RemoveMyUserPhone mocks base method
 func (m *MockAuthServiceClient) RemoveMyUserPhone(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()
@@ -596,6 +676,46 @@ func (mr *MockAuthServiceClientMockRecorder) VerifyMfaOTP(arg0, arg1 interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMfaOTP), varargs...)
 }
 
+// VerifyMyMfaU2F mocks base method
+func (m *MockAuthServiceClient) VerifyMyMfaU2F(arg0 context.Context, arg1 *auth.VerifyWebAuthN, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMyMfaU2F", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMyMfaU2F indicates an expected call of VerifyMyMfaU2F
+func (mr *MockAuthServiceClientMockRecorder) VerifyMyMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMyMfaU2F", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMyMfaU2F), varargs...)
+}
+
+// VerifyMyPasswordless mocks base method
+func (m *MockAuthServiceClient) VerifyMyPasswordless(arg0 context.Context, arg1 *auth.VerifyWebAuthN, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMyPasswordless", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMyPasswordless indicates an expected call of VerifyMyPasswordless
+func (mr *MockAuthServiceClientMockRecorder) VerifyMyPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMyPasswordless", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMyPasswordless), varargs...)
+}
+
 // VerifyMyUserEmail mocks base method
 func (m *MockAuthServiceClient) VerifyMyUserEmail(arg0 context.Context, arg1 *auth.VerifyMyUserEmailRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()

pkg/grpc/auth/proto/auth.proto

@@ -244,12 +244,12 @@ service AuthService {
 
   rpc GetMyPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) {
     option (google.api.http) = {
-            get: "/policies/passwords/complexity"
-        };
+      get: "/policies/passwords/complexity"
+    };
 
     option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "authenticated"
-        };
+      permission: "authenticated"
+    };
   }
 
   //ExternalIDP
@@ -306,6 +306,68 @@ service AuthService {
     };
   }
 
+  rpc AddMyMfaU2F(google.protobuf.Empty) returns (WebAuthNResponse) {
+    option (google.api.http) = {
+      post: "/users/me/mfas/u2f"
+      body: "*"
+    };
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc VerifyMyMfaU2F(VerifyWebAuthN) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      put: "/users/me/mfas/u2f/_verify"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc RemoveMyMfaU2F(WebAuthNTokenID) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/users/me/mfas/u2f/{id}"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc AddMyPasswordless(google.protobuf.Empty) returns (WebAuthNResponse) {
+    option (google.api.http) = {
+      post: "/users/me/passwordless"
+      body: "*"
+    };
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc VerifyMyPasswordless(VerifyWebAuthN) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      put: "/users/me/passwordless/_verify"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc RemoveMyPasswordless(WebAuthNTokenID) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/users/me/passwordless/{id}"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
   rpc SearchMyUserGrant(UserGrantSearchRequest) returns (UserGrantSearchResponse) {
     option (google.api.http) = {
       post: "/usergrants/me/_search"
@@ -578,8 +640,8 @@ message PasswordChange {
 
 enum MfaType {
   MFATYPE_UNSPECIFIED = 0;
-  MFATYPE_SMS = 1;
-  MFATYPE_OTP = 2;
+  MFATYPE_OTP = 1;
+  MFATYPE_U2F = 2;
 }
 
 message VerifyMfaOtp {
@@ -593,6 +655,7 @@ message MultiFactors {
 message MultiFactor {
   MfaType type = 1;
   MFAState state = 2;
+  string attribute = 3;
 }
 
 message MfaOtpResponse {
@@ -602,6 +665,21 @@ message MfaOtpResponse {
   MFAState state = 4;
 }
 
+message WebAuthNResponse {
+  string id = 1;
+  bytes public_key = 2;
+  MFAState state = 3;
+}
+
+message VerifyWebAuthN {
+  bytes public_key_credential = 1;
+  string token_name = 2;
+}
+
+message WebAuthNTokenID {
+  string id = 1;
+}
+
 enum MFAState {
   MFASTATE_UNSPECIFIED = 0;
   MFASTATE_NOT_READY = 1;
@@ -691,7 +769,7 @@ enum SearchMethod {
 }
 
 message ChangesRequest {
-  uint64 limit= 1;
+  uint64 limit = 1;
   uint64 sequence_offset = 2;
   bool asc = 3;
 }

pkg/grpc/management/proto/management.proto

@@ -2033,8 +2033,8 @@ message UserMultiFactor {
 
 enum MfaType {
   MFATYPE_UNSPECIFIED = 0;
-  MFATYPE_SMS = 1;
-  MFATYPE_OTP = 2;
+  MFATYPE_OTP = 1;
+  MFATYPE_U2F = 2;
 }
 
 enum MFAState {
@@ -3064,6 +3064,7 @@ message LoginPolicy {
   google.protobuf.Timestamp creation_date = 4;
   google.protobuf.Timestamp change_date = 5;
   bool force_mfa = 6;
+  PasswordlessType passwordless_type = 7;
 }
 
 message LoginPolicyRequest {
@@ -3071,6 +3072,12 @@ message LoginPolicyRequest {
   bool allow_register = 2;
   bool allow_external_idp = 3;
   bool force_mfa = 4;
+  PasswordlessType passwordless_type = 5;
+}
+
+enum PasswordlessType {
+  PASSWORDLESSTYPE_NOT_ALLOWED = 0;
+  PASSWORDLESSTYPE_ALLOWED = 1;
 }
 
 message IdpProviderID {
@@ -3095,6 +3102,7 @@ message LoginPolicyView {
   google.protobuf.Timestamp creation_date = 5;
   google.protobuf.Timestamp change_date = 6;
   bool force_mfa = 7;
+  PasswordlessType passwordless_type = 8;
 }
 
 message IdpProviderView {